You are being watched: Many apps can still track you, even if you turn off location services

Mobile phones, particularly of the smart variety, often come equipped with location tracking sensors that are used mainly for on-device navigation. These sensors enable phones to make full use of apps meant for maps, ride-sharing, and even simple web browsing, so most users tend leave them on all the time as they are often used.

However, since these location sensors can give away a user’s exact location at any given moment – provided that the signal strength is good enough – some users opt to turn the location trackers on their devices off to avoid being spied on. Now, a group of researchers has revealed that it’s still possible to keep tracking a user’s location even if their device’s location sensors have all been turned off.

Typically, smartphones and other smart devices are equipped with GPS antennas, which are used in conjunction with a bunch of other sensors that make up its communications interfaces. While most location-centric actions make use of the built-in GPS in phones and other smart devices nowadays, other sensors like accelerometers and gyroscopes can be tapped to give away info on a user’s location as well, said the researchers.

According to Guevara Noubir, a professor of Computer and Information Science from Northeastern University, he recently conducted a study along with some of his colleagues that focused on what they call “side channel attacks,” and uncovered ways that apps can keep working despite restrictions and end up putting users at risk. A side channel attack is a term in computer security that refers to any attack that is based on information gained from the physical implementation of a particular computer system — in this case, smartphones — instead of weaknesses in any underlying algorithms.

The information gathered by the researchers showed that a phone can be used to “listen in” on a user’s finger-typing technique and find out the password or PIN code that they just entered. They even showed how it’s possible for data companies to find out where you are and where you’re going simply by carrying a phone in your pocket. And what’s more, they have only begun to scratch the surface of what’s possible with these types of devices.

The researchers performed their “passcode attack” as part of one recent project, wherein they developed a dedicated app that could be used to determine what letters a user is typing on his or her on-screen keyboard – despite not looking at the act of typing directly. Instead, the researchers combined information from the built-in gyroscope and microphone in user smartphones.

Guevara explains the method that they used thusly: “When a user taps on the screen in different locations, the phone itself rotates slightly in ways that can be measured by the three-axis micromechanical gyroscopes found in most current phones.” He said that the simple act of tapping on a phone screen also produces sound that can be recorded on one or more of a phone’s built-in microphones. Using information that can be gleamed from these sound recordings can evidently be used to find out exactly what letters are being tapped on the on-screen keyboard.

“Processing the movement and sound data together let us determine what key a user pressed, and we were right over 90 percent of the time,” Guevara said. “This sort of function could be added secretly to any app and could run unnoticed by a user.”

Meanwhile, in a separate project, the researchers tried to determine a user’s location only through the use of sensors that don’t require permissions. They opted to go for the built-in digital compass in phones to observe a user’s direction of travel. Then they checked data from the phone’s gyroscope to measure the sequence of turn angles, effectively mapping out the route being taken by the user in real time. They also made use of the accelerometer to measure starts and stops in a user’s movement.

What they learned was that it was indeed possible to perform routine surveillance on a user without the use of normal location tracking methods. “We assume there is more your phone can tell a snoop,” Guevara said, “and we hope to find out what, and how, to protect against that sort of spying.”